20 of the Best IT Security Lessons Ever Learned

After working in information security for many years, we’ve come to understand that change is infosec’s only constant. Systems, people, and the secure state of your company, the network, and its data are always in flux.

To keep up with IT security’s ever-changing nature, we reached out to experts and practitioners to see if they could pass on what they’ve learned. We simply asked, “What’s the best advice you ever learned about IT security?”

What follows is a list of the best advice from security gurus, network administrators, and those responsible for securing company information. The lessons were passed down to them from real-world experience, a supervisor, an industry colleague, or in one case, a complete stranger.

Tip #1: Security must enable business, not prevent it

“I don’t know anything about what you do, for all I know, you are doing your job perfectly, but you have disabled my ability to do my job,” said a company executive to Stewart Allen, now an Information Security Consultant at Metrolinx.

Not immediately understanding the impact of that statement, Allen shot back with the retort, “Yes I am doing a good job. Our data is secure. So deal with it.”

The executive responded, “Well Stewart, I issue you a challenge! Find a way to use your security skills to enable business people like myself to work better, while still keeping our information secure.”

Allen admitted he initially ignored the comment, but it played in his mind for weeks until he came in one weekend and rewrote the entire firewall policy to enable business flexibility while still keeping data secure.

The executive’s challenge changed his career. He wouldn’t be the consultant he is today if it weren’t for that advice. As a result, Allen’s security motto is: “I enable business through the effective use of information security practices.”

Here’s a video we shot at the 2012 RSA Conference where we asked attendees, “What’s the best security advice you’ve ever received?”

Tip #2: Work with people. Don’t fight them.

“Technology has come to a point (almost) where the employees don’t need the IT department. So the security professionals are fighting to keep the employees in and it is like trying to hold a handful of water. They do what they want to,” realized Kevin Jones (@KevinDJones), Social Media Strategist for NASA/Dynetics.

“We try so often to fight against people and put in place more technologically advanced systems,” said Jones. “If you want to keep your information secure, work with the people.”

“Working with the people” means understanding users’ motivation and behavior. “What’s the reasoning behind why they do what they do,” said Jones.

Reaching that kind of agreement is not easy, Jones admitted. It has taken him months of working in partnership with security to take down the walls, understand the user more intimately, and thereby change the traditional security perspective.

Echoing the need to understand users’ motivations, Daniel Blander (@djbphaedrus), President of Techtonica, Inc., has been moved by the advice of motivational speaker Tony Robbins about understanding people’s basic motivations, such as certainty, uncertainty, significance, love, connection, growth, and contribution.

“I use [Robbins’ advice] every day in my consulting and my day-to-day activities so I can understand someone’s motivations, and temper my frustration with bad behavior,” said Blander.

Tip #3: Problems first, then solutions

“Don’t try to find a solution until you’ve understood the problem,” advised a veteran IT executive to Norman D. Marks (@normanmarks), VP, Evangelist for Better Run Business at SAP.

“From an IT security perspective, this means that you need to understand the risk before determining the level of security measures to apply,” said Marks.

When Marks was at Solectron, the lead managers for both physical and IT security wanted Marks to solicit funds to encrypt all the executive laptops across the company. While that sounded like a worthwhile endeavor, Marks asked if they had completed a corporate-wide information security risk assessment. They hadn’t. Instead of just accepting the seemingly reasonable request, Marks researched the situation only to discover that basic user access provisioning was broken.

“They wanted to close the windows when the front and back doors were open,” realized Marks.

Tip #4: Teach the basics again and again

“Never be afraid to discuss the simplest things—things you may think are already known, or that you consider common sense—and repeat them frequently,” said Aryeh Goretsky (@goretsky), Distinguished Researcher at ESET.

Instead of chasing the latest and greatest threat, a common practice in the security field, you can be far more effective just educating personnel about simple secure practices, over and over again, said Goretsky.

“It can be easy to forget about doing the most basic security things right,” echoed Jacob Kitchel (@i_defender), Senior Manager of Security and Compliance at Industrial Defender. “Taking care of the basics first, and ensuring sufficient logging, has allowed me to help customers ‘right the ship’ and gain perspective on what exactly is happening in their environments.”

Tip #5: Data security and privacy starts with employees

“It doesn’t matter what firewall or intrusion detection you use if your employees don’t understand the significance of data privacy and protection,” said Anthony R. Howard, IT consultant and author of “The Invisible Enemy: Black Fox.”

“No one in your organization will care about data security, privacy policies, intellectual property protection, or data breach until you tell them why it’s important, how it can impact them, and then tell them what to do to prevent it,” advised Howard who suggests basic training, such as a webinar, to explain how they personally can protect themselves and their company from data theft.

What you ultimately want to do is create a mutually beneficial privacy culture that can be applied to both your business, and the employees’ personal life, said Howard.

Tip #6: Mistakes happen, especially by you

“Trust no one, especially yourself. Check, recheck, check again,” was the advice a physical security professional gave to Catalin Tutunaru, a freelance ICT consultant.

The advice has been a backbone of Tutunaru’s consulting business, as he recognizes there is an inherent, unavoidable weakness in the people hired to protect networks.

“The ICT community is very young and the experience collected is much smaller than the power they control,” Tutunaru said.

Tip #7: To get respect, you’ll need a few shots fired at you

“You won’t be truly appreciated until you manage a security breach,” said Sean Jackson (@shunkydave), Security Engineer at DigiCert who learned that advice from a fellow security professional.

“I immediately changed my focus from preventing the unknown to preparing to manage what I did know,” said Jackson.

Tip #8: Put yourself in the attacker’s shoes

While working at @stake, a security consultancy Jaquith helped found in 1999, he learned from his colleagues, and from watching the guys at the hacker collective L0pht, to always put yourself in the attacker’s shoes when thinking about security.

“It’s not about checking the box, making the auditor happy or following ‘best practices.’ It’s about repelling the wily hacker,” said Jaquith, who put this ‘put yourself in the attacker’s shoes’ attitude to work by trying to break into systems.

“There was not a system our people couldn’t get into, and it all came back to that single point: having the right mindset,” said Jaquith. “We used the insights we gained from successful attacks to help our customers be more secure.”

Tip #9: Back up your data…away from the data source

Early in his security career as a Linux sysadmin, Anton Chuvakin (@anton_chuvakin), Research Director at Gartner, learned, “Everything will fail: prevention, detection, response, the data center will explode, the DoS will flood your connection, auditors will find fault, and attackers will steal your fighter plans. But you will always have backups! Which means you can always get back to life.”

Not all backups are equal though. For months, Jay Walker (@Conteggo) was backing up his laptop to a thumb drive and keeping both the laptop and the USB drive in his laptop bag. He was proud of himself for being so conscientious until a stranger pointed out how foolish a practice that was: if he ever lost that bag, he would lose the data and the backup together.

Soon after that conversation, exactly that scenario happened to a family member whose bag was stolen. That stranger’s advice indirectly led to Walker launching his online backup service company, Conteggo.

Tip #10: If it’s online, you can’t be certain it’s private

“Never assume anything you put on the Internet is private, even if it hasn’t been shared with anyone,” said Josh Ogle (@joshogle), Founder of Fresh Spin Advertising who believes this personal tenet has had a demonstrable impact on his business and career.

Working in advertising, Ogle has clients who entrust their very sensitive intellectual property to his company. When they pitch a client, they make it clear they will never put anything sensitive of the client’s online, and he knows of two occasions where that differentiator led companies to choose his boutique ad agency over competitors.

Tip #11: In a business vs. security battle, business is always right

“When security gets in the way of the mission, security is wrong, not the mission,” said Keith Palmgren (@kpalmgren), President of NetIP.

“In the corporate environment, the fundamental mission is revenue,” said Palmgren. “Put security in place that prevents revenue generation and the boss will tell you exactly how wrong you are and how little time you have to fix it.”

Watching others make this misstep many times, Palmgren quickly learned that repeatedly hindering the business with security can be a career limiting move.

Tip #12: A business must balance some risk in order to profit

When Patrick C Miller (@PatrickCMiller), President and CEO of the Energy Sector Security Consortium, was a young and overzealous security pro, an executive at another company once said to him that his answer to every project, initiative, and “Can we do this?” question was always “no.” Eager not to be hindered by security, the executive challenged Miller.

“What I want to hear is: ‘yes, if’ instead of ‘no,’” said the executive.

Miller finally realized that the organization is balancing risk in order to profit, and that realization completely changed his outlook on how he communicates.

“I was finally able to speak to the executive layer in a language they would understand and respond to – which never happened when I spoke in technical security terms,” Miller said.

“You have to accept the fact that as a security professional you can’t always get what you want, but you can help the business get what it needs,” said Andrew Storms (@st0rmz), Director of Security Operations for nCircle, who had an enlightening experience similar to Miller’s.

“Your job as a security professional is to help the business understand the role information security risk plays in the way your specific organization conducts its business,” said Storms, who now thinks more strategically about how he frames conversations about security with executives.

Tip #13: Business first, then security

Similar to the previous tip is the importance of first knowing what you’ve been hired to protect.

“It’s important to understand the business before you can secure it,” said Terry L. Perkins, who does information security at a large resale bookstore.

To build appropriate, justifiable defenses around information assets, Frank Marsh, Director of Cyber and Information Security at Burrill Green, advises, “Understand what information drives your business or organization, where it is (both digitally and physically), and why it needs protecting.”

Tip #14: Educate users about good password security

Heeding advice from notorious hacker Kevin Mitnick, Bill Bernat (@microvation), Web Publisher at OpenText, focuses on basic password security. For starters, that means using unique, random passwords – no “God” password reused across multiple accounts, no writing passwords on Post-it notes, no sharing passwords, and no saying them out loud on the phone or sending them over email.

For Bernat, the advice has meant he’s never made any huge mistakes.

“You could build the most brilliant system ever and if you don’t make backups or change the default password that could kill your career in an afternoon,” warned Bernat.

Tip #15: Be wary of how much authority you give to a consultant

Even if you’re a small company that doesn’t fully understand how your IT project functions, don’t give all the power to a programming consultant, advised Diana Moy (@arteefact), Visual/Information Designer at Artefacts.us who has seen her clients’ operations be completely vulnerable to the unpredictability of a consultant.

You never know what could happen, said Moy. A programmer could get sick, disappear, or simply walk away with your code and content. Protect your business by setting up your system so that you have master control over the web server and database.

“If you’re an IT professional, make sure you give this advice to your client. It’s a good way to build trust,” said Moy.

Tip #16: Keep IT security simple but safe

Even after covering all the basics of securing his network, Park still gets solicitations from software sales reps telling him about the importance of a certain product or why he needs to install a certain piece of software.

“Too much security software can bog down your operating system, and it can be quite costly. I need to save money for my business in any way possible,” said Park. “Playing it simple but safe in regards to IT security is one way to do that.”

Tip #17: Make the cost of breaking in higher than the benefit

One hundred percent security is an impossibility, as most security pros have come to accept. “If someone wants to break in bad enough, eventually they will,” said Dave Sroelov, President at A & S Computer Services.

“Make the effort of breaking into your systems and data much higher than any potential rewards gained by it,” said Matthew Hemmings (@RockfordIT), 3rd Line Technical Support/Systems Team at Rockford IT.

“There are only two things you can do about [managing your data security],” said Sroelov of dealing with intruders to your network. “First, make it as difficult as possible, and second, make sure they leave a trail behind them.”

Tip #18: Record as much activity as you can

Echoing Sroelov’s last piece of advice in the previous tip, Kitchel of Industrial Defender advises companies to “squeeze every bit of information out of your environment. Log and record every event that you have disk space for. Then buy more disk space and log some more.”

“You may not be a security wizard or have one employed in your organization,” said Kitchel, “But when something goes wrong and you have to hire professionals to figure it out, extensive event logging will allow the pros to more easily figure out the pieces.”

Tip #19: Destroy and recycle electronics correctly

We focus so much data security effort on the equipment that’s currently being used to access our network. But what about the devices that are no longer sharing data, but have data on them, such as old cell phones, photo copiers, computers?

“While this data may have been stored in a hardened, protected environment through its lifetime, [once decommissioned] it would now be in the wild and open to anyone with the know-how to recover improperly-wiped data,” said Brian Brundage, CEO of Intercon Solutions.

“Dispose [of your devices] through a process that tracks and verifies the destruction of your data, from pick-up to physical destruction,” said Brundage, whose company offers this very recycling service.

Tip #20: Security is everyone’s responsibility

While all of this security advice is useful, it’s important to understand that security is not one person’s job that everyone else can ignore. It’s everyone’s responsibility, and therefore everyone is susceptible to the same weakness.

“We can have the best policy, the best processes, and the best procedures using technologically sound tools yet still be vulnerable to the biggest security problem of all – humans,” said Adam Montville (@adammontville), Security and Compliance Architect for Tripwire.

Montville learned this valuable lesson while working at the Department of Defense after yet another “out-of-policy” incident occurred. Shaking his head with a “not again” realization, the DoD’s Information System Security Manager let Montville know, “This happens far more often than you might imagine, and it’s because humans are still humans wherever you go.”

“All the electronic locks and passkeys won’t help if you hold the door open and let someone through with you,” said Heather Wilde (@heathriel), Director of Technical Support for Evernote. “Personal responsibility is the most important tool in the security arsenal. Security starts and ends with you.”

Conclusion: What’s the best infosec lesson you’ve learned?

We’re sure we haven’t covered every single piece of useful advice. Heck, here’s one right now:

Install patches and updates.

Still, knowing that plenty of advice is missing, we wrote this article in an effort to share the knowledge, wisdom, and experience of fellow IT security pros, and we hope it sparks a discussion here in the comments.

Please, if you’ve got a piece of advice that tags on to one of the above 20 tips or is one of your own, let us know. We’d all like to learn and better protect ourselves and our businesses. Thank you.